Bug 274449

Summary: [JSC] Use `RegExp.prototype[@@split]` slow path if `hasIndices` and `dotAll` getters has been overwritten
Product: WebKit
Component: JavaScriptCore
Status: RESOLVED FIXED
Severity: Normal
Priority: P2
Version: WebKit Local Build
Hardware: Unspecified
OS: Unspecified
Reporter: Sosuke Suzuki <aosukeke>
Assignee: Nobody <webkit-unassigned>
CC: webkit-bug-importer
Keywords: InRadar

Description Sosuke Suzuki 2024-05-21 00:23:42 PDT
`RegExp.prototype[@@split]` calls the `hasIndices` and `dotAll` getters via the `flags` getter[1]. If these getters are overwritten, observable side effects may occur. However, the fast path skips these getter calls.

[1]: https://tc39.es/ecma262/multipage/text-processing.html#sec-regexp.prototype-@@split
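
A conformance check for the behaviour described in the report above, added here as an example; it is not part of the report, the WebKit patch or its tests. `observeSplit` and `check` are hypothetical helper names, and the input string and pattern are constructed samples.

```javascript
// Added example: records which RegExp.prototype flag getters a split() reads.
const WATCHED = ['hasIndices', 'dotAll'];

// Temporarily wraps the watched getters on RegExp.prototype, runs
// input.split(regexp), and returns the result plus the getters that fired.
function observeSplit(input, regexp) {
  const calls = [];
  const saved = new Map();
  for (const name of WATCHED) {
    const desc = Object.getOwnPropertyDescriptor(RegExp.prototype, name);
    if (!desc || typeof desc.get !== 'function') continue; // flag not supported here
    saved.set(name, desc);
    Object.defineProperty(RegExp.prototype, name, {
      configurable: true,
      enumerable: desc.enumerable,
      get() {
        calls.push(name);           // the observable side effect
        return desc.get.call(this); // keep the original flag value
      },
    });
  }
  try {
    return { parts: input.split(regexp), calls };
  } finally {
    // Always restore the built-in getters, even if split() throws.
    for (const [name, desc] of saved) {
      Object.defineProperty(RegExp.prototype, name, desc);
    }
  }
}

// An engine whose fast path skips the `flags` getter reports conforming: false.
function check() {
  const { parts, calls } = observeSplit('a,b,c', /,/); // constructed sample
  const conforming = WATCHED.every((name) => calls.includes(name));
  return { parts, calls, conforming };
}

console.log(check());
```

An engine that takes the fast path despite the overwritten getters returns the same `parts` but an empty `calls` list, which is the divergence the report describes.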
Comment 1 Sosuke Suzuki 2024-05-21 00:32:21 PDT
Pull request: https://github.com/WebKit/WebKit/pull/28835
Comment 2 Radar WebKit Bug Importer 2024-05-28 00:24:13 PDT
<rdar://problem/128849967>
Comment 3 EWS 2024-06-11 05:16:37 PDT
Committed 279905@main (b03cf953dce9): <https://commits.webkit.org/279905@main>

Reviewed commits have been landed. Closing PR #28835 and removing active labels.